| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
AU-9(2) |
FedRAMP_High_R4_AU-9(2) |
FedRAMP High AU-9 (2) |
Audit And Accountability |
Audit Backup On Separate Physical Systems / Components |
Shared |
n/a |
The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
Supplemental Guidance: This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. Related controls: AU-4, AU-5, AU-11. |
link |
1 |
| FedRAMP_High_R4 |
CP-9 |
FedRAMP_High_R4_CP-9 |
FedRAMP High CP-9 |
Contingency Planning |
Information System Backup |
Shared |
n/a |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the
scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.
References: NIST Special Publication 800-34. |
link |
9 |
| FedRAMP_Moderate_R4 |
AU-9(2) |
FedRAMP_Moderate_R4_AU-9(2) |
FedRAMP Moderate AU-9 (2) |
Audit And Accountability |
Audit Backup On Separate Physical Systems / Components |
Shared |
n/a |
The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
Supplemental Guidance: This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. Related controls: AU-4, AU-5, AU-11. |
link |
1 |
| FedRAMP_Moderate_R4 |
CP-9 |
FedRAMP_Moderate_R4_CP-9 |
FedRAMP Moderate CP-9 |
Contingency Planning |
Information System Backup |
Shared |
n/a |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the
scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.
References: NIST Special Publication 800-34. |
link |
9 |
| hipaa |
1618.09l1Organizational.45-09.l |
hipaa-1618.09l1Organizational.45-09.l |
1618.09l1Organizational.45-09.l |
16 Business Continuity & Disaster Recovery |
1618.09l1Organizational.45-09.l 09.05 Information Back-Up |
Shared |
n/a |
The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location. |
|
7 |
| hipaa |
1620.09l1Organizational.8-09.l |
hipaa-1620.09l1Organizational.8-09.l |
1620.09l1Organizational.8-09.l |
16 Business Continuity & Disaster Recovery |
1620.09l1Organizational.8-09.l 09.05 Information Back-Up |
Shared |
n/a |
When the backup service is delivered by the third-party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information. |
|
5 |
| hipaa |
1622.09l2Organizational.23-09.l |
hipaa-1622.09l2Organizational.23-09.l |
1622.09l2Organizational.23-09.l |
16 Business Continuity & Disaster Recovery |
1622.09l2Organizational.23-09.l 09.05 Information Back-Up |
Shared |
n/a |
The integrity and security of the backup copies are maintained to ensure future availability, and any potential accessibility problems with the backup copies are identified and mitigated in the event of an area-wide disaster. |
|
4 |
| hipaa |
1623.09l2Organizational.4-09.l |
hipaa-1623.09l2Organizational.4-09.l |
1623.09l2Organizational.4-09.l |
16 Business Continuity & Disaster Recovery |
1623.09l2Organizational.4-09.l 09.05 Information Back-Up |
Shared |
n/a |
Covered information is backed-up in an encrypted format to ensure confidentiality. |
|
3 |
| hipaa |
1624.09l3Organizational.12-09.l |
hipaa-1624.09l3Organizational.12-09.l |
1624.09l3Organizational.12-09.l |
16 Business Continuity & Disaster Recovery |
1624.09l3Organizational.12-09.l 09.05 Information Back-Up |
Shared |
n/a |
The organization performs incremental or differential backups daily and full backups weekly to separate media. |
|
3 |
| hipaa |
1908.06.c1Organizational.4-06.c |
hipaa-1908.06.c1Organizational.4-06.c |
1908.06.c1Organizational.4-06.c |
19 Data Protection & Privacy |
1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements |
Shared |
n/a |
The organization documents and maintains (i) designated record sets that are subject to access by individuals, and (ii) titles of the persons or office responsible for receiving and processing requests for access by individuals as organizational records for a period of six years. |
|
11 |
| hipaa |
19141.06c1Organizational.7-06.c |
hipaa-19141.06c1Organizational.7-06.c |
19141.06c1Organizational.7-06.c |
19 Data Protection & Privacy |
19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Important records, such as contracts, personnel records, financial information, client/customer information, etc., of the organization are protected from loss, destruction and falsification through the implementation of security controls such as access controls, encryption, backups, electronic signatures, locked facilities or containers, etc. |
|
10 |
| ISO27001-2013 |
A.12.3.1 |
ISO27001-2013_A.12.3.1 |
ISO 27001:2013 A.12.3.1 |
Operations Security |
Information backup |
Shared |
n/a |
Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. |
link |
13 |
| ISO27001-2013 |
A.17.1.2 |
ISO27001-2013_A.17.1.2 |
ISO 27001:2013 A.17.1.2 |
Information Security Aspects Of Business Continuity Management |
Implementing information security continuity |
Shared |
n/a |
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. |
link |
18 |
| ISO27001-2013 |
A.18.1.3 |
ISO27001-2013_A.18.1.3 |
ISO 27001:2013 A.18.1.3 |
Compliance |
Protection of records |
Shared |
n/a |
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements. |
link |
15 |
| NIST_SP_800-171_R2_3 |
.3.8 |
NIST_SP_800-171_R2_3.3.8 |
NIST SP 800-171 R2 3.3.8 |
Audit and Accountability |
Protect audit information and audit logging tools from unauthorized access, modification, and deletion. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements. |
link |
4 |
| NIST_SP_800-171_R2_3 |
.8.9 |
NIST_SP_800-171_R2_3.8.9 |
NIST SP 800-171 R2 3.8.9 |
Media Protection |
Protect the confidentiality of backup CUI at storage locations. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information. |
link |
8 |
| NIST_SP_800-53_R4 |
AU-9(2) |
NIST_SP_800-53_R4_AU-9(2) |
NIST SP 800-53 Rev. 4 AU-9 (2) |
Audit And Accountability |
Audit Backup On Separate Physical Systems / Components |
Shared |
n/a |
The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
Supplemental Guidance: This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. Related controls: AU-4, AU-5, AU-11. |
link |
1 |
| NIST_SP_800-53_R4 |
CP-9 |
NIST_SP_800-53_R4_CP-9 |
NIST SP 800-53 Rev. 4 CP-9 |
Contingency Planning |
Information System Backup |
Shared |
n/a |
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the
scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.
References: NIST Special Publication 800-34. |
link |
9 |
| NIST_SP_800-53_R5 |
AU-9(2) |
NIST_SP_800-53_R5_AU-9(2) |
NIST SP 800-53 Rev. 5 AU-9 (2) |
Audit and Accountability |
Store on Separate Physical Systems or Components |
Shared |
n/a |
Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited. |
link |
1 |
| NIST_SP_800-53_R5 |
CP-9 |
NIST_SP_800-53_R5_CP-9 |
NIST SP 800-53 Rev. 5 CP-9 |
Contingency Planning |
System Backup |
Shared |
n/a |
a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protect the confidentiality, integrity, and availability of backup information. |
link |
9 |
| PCI_DSS_v4.0 |
10.3.3 |
PCI_DSS_v4.0_10.3.3 |
PCI DSS v4.0 10.3.3 |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data |
Audit logs are protected from destruction and unauthorized modifications |
Shared |
n/a |
Audit log files, including those for externalfacing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify. |
link |
5 |
| SOC_2 |
PI1.5 |
SOC_2_PI1.5 |
SOC 2 Type 2 PI1.5 |
Additional Criteria For Processing Integrity |
Store inputs and outputs completely, accurately, and timely |
Shared |
The customer is responsible for implementing this recommendation. |
• Protects Stored Items — Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications.
• Archives and Protects System Records — System records are archived and archives
are protected against theft, corruption, destruction, or deterioration that would prevent them from being used.
• Stores Data Completely and Accurately — Procedures are in place to provide for
the complete, accurate, and timely storage of data.
• Creates and Maintains Records of System Storage Activities — Records of system
storage activities are created and maintained completely and accurately in a timely
manner |
|
10 |
| SWIFT_CSCF_v2022 |
2.1 |
SWIFT_CSCF_v2022_2.1 |
SWIFT CSCF v2022 2.1 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. |
Shared |
n/a |
Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. |
link |
36 |
| SWIFT_CSCF_v2022 |
2.4 |
SWIFT_CSCF_v2022_2.4 |
SWIFT CSCF v2022 2.4 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. |
Shared |
n/a |
Confidentiality, integrity, and authentication mechanisms (at system, transport or message level) are implemented to protect data flows between SWIFT infrastructure components and the back-office first hops they connect to. |
link |
7 |
| SWIFT_CSCF_v2022 |
2.5 |
SWIFT_CSCF_v2022_2.5 |
SWIFT CSCF v2022 2.5 |
2. Reduce Attack Surface and Vulnerabilities |
Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. |
Shared |
n/a |
Sensitive SWIFT-related data that leaves the secure zone as a result of operating system/application back-ups, business transaction data replication for archiving or recovery purposes, or extraction for offline processing is protected when stored outside of a secure zone and is encrypted while in transit. |
link |
7 |